Step 4. Enable Data Encryption


    At the Options step of the wizard, choose whether you want to encrypt backup files stored in the selected Amazon S3 bucket folder.


    If you have selected an existing folder at the Settings step of the wizard, and if encryption is enabled for this folder at the repository level, you must provide the currently used password or an encryption key to let Veeam Backup for AWS access this folder and add it as a backup repository. You cannot change encryption settings while adding the repository. However, you will be able to edit the repository settings later.

    To enable encryption for the backup repository, do the following:

    1. Click Edit Encryption Settings.
    2. In the Encryption settings window, set the Enable encryption toggle to On.
    3. Choose whether you want to use a password or an AWS Key Management Service (KMS) key to encrypt the backed-up data. For more information on encryption algorithms, see Backup Repository Encryption.
    • To use password encryption, select the Use password encryption option and specify a password that will be used to encrypt data.
    • To encrypt data using AWS KMS keys, select the Use KMS encryption key option and choose a KMS key from the Encryption key drop-down list.

    For a KMS key to be displayed in the list of available encryption keys, it must be created in the AWS Region where the selected Amazon S3 bucket is located, and the IAM role specified to access the bucket must have permissions to the key. For more information on permissions required for the IAM role, see Repository IAM Role Permissions.


    If you select the Use KMS encryption key option, mind the following:

    • AWS managed keys cannot be used to encrypt repositories due to AWS limitations.
    • Only symmetric KMS keys are supported.
    • Do not disable KMS keys used to encrypt repositories, otherwise Veeam Backup for AWS will not be able to encrypt data, and backup policies that have encrypted repositories specified as backup targets will fail to complete successfully.
    • Do not delete KMS keys used to encrypt repositories, otherwise Veeam Backup for AWS will not be able to decrypt data stored in these repositories.

    If a KMS key is scheduled for deletion, it will acquire the Pending deletion state. In this case, Veeam Backup for AWS will raise a warning, and, during the following 7 days, you must either change the encryption settings for the backup repository in Veeam Backup for AWS or cancel the key deletion.

    For more information on managing AWS KMS keys, see AWS Documentation.
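The key requirements above can be checked before you open the wizard. The following is an added example, not part of the Veeam product or its documentation: it evaluates the `KeyMetadata` structure returned by the AWS KMS DescribeKey operation against those rules. The function name, the sample metadata and the reading of "symmetric" as the `SYMMETRIC_DEFAULT` key spec are assumptions; the IAM role's permissions to the key are not checked.

```python
from datetime import datetime, timezone

def kms_key_findings(meta, bucket_region, now=None):
    """Return reasons a KMS key is unsuitable for an encrypted repository.

    meta is the "KeyMetadata" dict of a KMS DescribeKey response.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    # Key ARN layout: arn:<partition>:kms:<region>:<account>:key/<key-id>
    key_region = meta["Arn"].split(":")[3]
    if key_region != bucket_region:
        findings.append(f"region mismatch: key in {key_region}, bucket in {bucket_region}")
    if meta.get("KeyManager") != "CUSTOMER":
        findings.append("AWS managed key: not usable for repositories")
    # Assumption: "symmetric" means the symmetric encryption key spec.
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        findings.append(f"not a symmetric key: KeySpec={meta.get('KeySpec')}")
    state = meta.get("KeyState")
    if state == "PendingDeletion":
        deletion = meta.get("DeletionDate")
        left = f", {(deletion - now).days} day(s) left" if deletion else ""
        findings.append(f"pending deletion{left}: cancel it or change repository encryption")
    elif state != "Enabled":
        findings.append(f"key state {state}: backups to this repository will fail")
    return findings

# Constructed sample metadata; account and key IDs are placeholders.
GOOD_KEY = {
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000001",
    "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled",
}
# Constructed to trip every check at once.
BAD_KEY = {
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002",
    "KeyManager": "AWS", "KeySpec": "RSA_2048", "KeyState": "PendingDeletion",
    "DeletionDate": datetime(2024, 1, 6, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(name, kms_key_findings(key, "eu-west-1") or "OK")
```

Running the same check on a schedule against keys already assigned to repositories surfaces a disabled or pending-deletion key before a backup policy fails.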

    Specifying Encryption Settings